How to integrate Okta to User Provisioning

Prev Next

If your organization uses Okta to manage employee access to tools and services, you can utilize Okta's Provisioning feature to automatically provide your users with access to DocuWare via SCIM. This guide will walk you through the steps to configure both DocuWare and Okta to set up provisioning for your organization.

With DocuWare 7.12, User Provisioning supports the following provisioning features:

  • Automatic User Creation: Users assigned to the Reftab application in Okta are automatically created as users in Docuware.

  • Attribute Synchronization: Any updates to user attributes (userName, email, activeness) in Okta will be reflected in Docuware.

  • User Deactivation: When users are deactivated in Okta, they are marked as disabled in Docuware, preventing them from logging in.

Register DocuWare in Okta

  1. Login to your Okta organization and navigate to this view:


  2. In the Admin view navigate to Applications > Applications

  3. In the Applications page, click on Create App Integration

  4. In the pop-up, for a sign-in method choose SAML 2.0 and then click Next. This sign-in method is not actually used, but has to be chosen.

  5. In the first tab General Settings on the Create SAML Integration page, enter an app name and click Next.

  6. On the next tab - Configure SAML, enter a Single sign-on URL and an Audience URI. Actual values does not matter, as they are not  actually used. You may use http://www.okta.com. Then click Next.

  7. On the Feedback tab, activate the option “This is an internal app that we have created” and click Finish.

  8. In the just created application click on the General tab, on App Setting click Edit, than select SCIM for a provisioning method and click Save.


  9. Scroll down to App Embed Link, then copy the ID after /home/ on the Embed Link - as shown on picture below. Here it is trial-5967756_oktascimintegration_1

  10. Don’t close the Okta configuration and switch to Docuware Configuration.

Connect DocuWare and Okta

  1. Go to DocuWare Configuration > Integration > App Registration.

  2. Select New app registration.

  3. In the Create Application Registration pop-up, choose Web application, then click Continue.

  4. Configure your app registration:

    1. Enter a Name for the app registration

    2. Add a Redirect URL with the value

    3. https://system-admin.okta.com/admin/app/cpc/{ID}/oauth/callback

    4. where ID should be replaced by the value, which you have copied in step 9 above.

    5. In the demo case final URL is

    6. https://system-admin.okta.com/admin/app/cpc/trial-5967756_oktascimintegration_1/oauth/callback

    7. As Grant type select Authorization Code.

    8. In Allowed Resources select User Provisioning.

    9. Confirm with Save.

  5. From the created App Registration copy the values of

    1. Application (Client) ID

    2. Client secret

  6. Switch to DocuWare Configuration > General > User Provisioning.

  7. Activate the option Enable User Provisioning.

  8. In the dropdown Identity Provider select Okta.

  9. In the dropdown Application Registration select the created app registration in the plugin App Registrations (Okta SCIM Integration) (step 6-10 in the chaptre Configurin Okta).

  10. Do not forget to Save.

  11. Copy these links:

    1. SCIM connector base URL

    2. Authorization Endpoint

    3. Access token endpoint URI

Configuring Okta

  1. Switch back to Oka application. Go to Provisioning > Integration > Edit and enter the following inputs:

    1. SCIM connector base URL:
      https://usermgmt-testlatest.docuware.cloud/DocuWare/usersyncbackend/okta/scim - copied from step 11.a of the previous chaptre.

    2. Unique identifier field for users: userName

    3. Supported provisioning actions:
      check Import New Users and Profile Updates, Push New Users, Push Profile Updates, Push Groups, Import Groups

    4. Authentication Mode: select OAuth 2

    5. Access token endpoint URI: paste the URI copied from 11.c

    6. Authorization endpoint URI  → paste the URI copied from 11.b

    7. Client ID: paste the copied in step 5.a
      from Configuring DocuWare Application (Client) ID

    8. Client Secret → paste the copied in step 5.b
      from Configuring DocuWare Authorization endpoint


  2. After saving, navigate back to the Integration tab and at the bottom of the page click the authentication button to generate a token

    1. Provide your DocuWare’s admin user credentials

    2. An updated message will appear ensuring the token is successfully generated

  3. A new App tab should appear under Provisioning tab, on Provisioning to App click Edit, then check Create Users, Update User Attributes, Deactivate Users and Save.

  4. Scroll down to Okta SCIM Integration Attribute Mappings and click on Go to Profile Editor.

5. In the Profile Editor click on Mappings

  1. On each and every mapping except Primary Email > email in the tab Okta SCIM Integration User Profile click on the yellow arrow and select Do not map. When all mappings except the Email one are unset, click Save Mappings at the bottom of the window.


  1. Navigate to the second tab Okta User User Profile and repeat the same procedure for each and every available mapping except Primary Email > appuser.email.

  1. After all mappings except the one for the Username and the one for the Email are unset, you are safe to delete them from Profile Editor by pressing [X] and then Delete Attribute. As a result all Attributes except for Username and Email should be deleted. Username is the only attribute that is required and Email is optional, but should remain mapped in order to receive emails when provisioned.

    Action:

    Result:

9. Provisioning configurations are all set and you can continue with using it.

Provisioning users

  1. Navigate to the recently created Okta application. Go to Assignments > Assign > Assign to people and then assign a person you want to be provisioned.

  1. Find your successfully created user in DocuWare